I recently had to perform a forensic analysis on a compromised Microsoft Azure VM, and I'd like to share a couple of useful tips.
Microsoft Windows uses a paging file, called pagefile.sys, to store page-size blocks of memory that do not currently fit into physical memory. This file, stored in %SystemDrive%\pagefile.sys, is a hidden system file and it can never be read or accessed by a user, including Administrator.
A good wiping tool is available in all Windows systems since Windows 2000.
Malware analysis and digital forensic analysis are processes that often need the analyst to look into system memory. In this regard, a good analyst must have at least a basic knowledge of Windows memory management.
Some months ago I wrote a brief post about code injection on Windows using Python. Some readers asked me if the code proposed in the post (which calls standard Windows APIs) is portable to other languages.